For policy-based network management, users typically specify high-level end-to-end management policies that are implemented on a network through intensive computations. As an example, security policies manage firewalls to specify which traffic streams should be allowed and which traffic streams should be excluded from the network. All possible routing paths must be computed in order for the security policy to be implemented on the appropriate firewalls. This includes identifying the firewalls for all of the communication paths, and providing the appropriate device commands for the firewalls to enforce the security policy.
The computation required to implement such a security policy is intensive, and directly related to the size and complexity of the network topology. For example, some network topologies incorporate commercial software such as CiscoSecure Policy Manager from Cisco Systems Inc. to implement security policies. To configure a security policy in the network topology for a source and a destination, all possible communication paths between the source and the destination must be identified and considered in configuring the security policy. In some cases, each network element subject to the security policy is accounted for in a manner such that the computational processing and complexity is N factorial, where N is the number of network elements. As a result, configuring security policies for a network may require several days of computations by a high-level server.
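The path computation described above, as an added example that is not part of the original text: a depth-first enumeration of every loop-free path between a source and a destination, reporting which firewalls lie on those paths and counting paths in a full mesh to show the factorial growth. The topology, node names and function names are constructed for illustration.

```python
# Added illustration; the topology and node names are constructed.
from math import factorial


def simple_paths(graph, src, dst):
    """Yield every loop-free path from src to dst (iterative depth-first search)."""
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            yield path
            continue
        for nxt in graph[node]:
            if nxt not in path:  # a simple path never revisits a node
                stack.append((nxt, path + [nxt]))


def firewalls_to_configure(graph, firewalls, src, dst):
    """Return (path count, firewalls lying on at least one src-to-dst path)."""
    count, hit = 0, set()
    for path in simple_paths(graph, src, dst):
        count += 1
        hit.update(n for n in path if n in firewalls)
    return count, hit


def mesh_path_count(n):
    """Count simple paths between two fixed nodes of a full mesh of n nodes."""
    mesh = {i: [j for j in range(n) if j != i] for i in range(n)}
    return sum(1 for _ in simple_paths(mesh, 0, n - 1))


# Constructed sample topology: fw3 exists but is on no hostA-to-hostB path.
TOPOLOGY = {
    "hostA": ["r1"],
    "r1": ["hostA", "fw1", "fw2"],
    "fw1": ["r1", "r2"],
    "fw2": ["r1", "r2", "fw3"],
    "fw3": ["fw2"],
    "r2": ["fw1", "fw2", "hostB"],
    "hostB": ["r2"],
}
FIREWALLS = {"fw1", "fw2", "fw3"}

if __name__ == "__main__":
    print(firewalls_to_configure(TOPOLOGY, FIREWALLS, "hostA", "hostB"))
    for n in range(3, 9):  # path count is never below (n - 2)!
        print(n, mesh_path_count(n), factorial(n - 2))
```

Only the firewalls returned by `firewalls_to_configure` need device commands for this source and destination pair; the full-mesh counts show why enumerating paths over the unreduced topology becomes impractical as the node count grows.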
In addition, the overwhelming details of the entire network may make it difficult to analyze or even view.
Based on the foregoing, there is a clear need in the field for a way to reduce the amount of processing time involved in configuring networks for policy management. There is a specific need for a way to reduce the number of nodes in a representation of network topology for the purpose of policy management.